Analysis

North Korea’s Lazarus Group Behind The $100 Million Theft On Harmony?

Harmony attackers transferred over 18,000 ETH to three addresses, most of which was subsequently transferred to Tornado Cash in batches of 100 ETH. The attacker’s wallet also contained 49,794 ETH. Elliptic appears to be a North Korean hack similar to the Ronin hack.

Lazarus Group is the top suspect

On the morning of June 24th, over $100 million in cryptoassets was stolen from Horizon Bridge – a service that allows assets to be transferred between the Harmony blockchain and other blockchains.

The stolen cryptoassets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB. The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert much of these assets into a total of 85,837 ETH. This is a common laundering technique used to avoid seizure of stolen assets.

The Horizon Bridge hacker has so far sent 41% of the $100 million in stolen cryptoassets into the Tornado Cash mixer.

Following the trail after the Horizon hack. Source: Elliptic

Mixers such as Tornado Cash are used to hide the transaction trail. However, Elliptic has used its Tornado demixing capability to trace all of the stolen funds through Tornado and onwards to other wallets. Users of Elliptic’s solutions can now screen wallets and transactions for links to the stolen funds – even those that have passed through Tornado.

According to the analysis of Elliptic, it is consistent with the activities of Lazarus Group – a cybercrime group with close links to North Korea.

  • The Lazarus Group has perpetrated several large cryptocurrency thefts totaling over $2 billion, and has recently turned its attention to DeFi services such as cross-chain bridges. For example, the group is believed to be behind the $540 million hack of Ronin Bridge.
  • The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group.
  • Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons. Although Harmony is based in the US, many of the core team have links to the APAC region.
  • The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group.
  • The relatively short periods during which the stolen funds stop being moved out of Tornado cash are consistent with APAC nighttime hours.

The stolen funds as the laundering progresses, and will update its tools to reflect the movement of these assets.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join CoinCu Telegram to keep track of news: https://t.me/coincunews

Follow CoinCu Youtube Channel | Follow CoinCu Facebook page

Foxy

CoinCu News

Victor

Recent Posts

Dogecoin Price Reaches 5-Month High: Here’s What’s Driving The Increase 

The Dogecoin price has reached a five-month high, and investors should buy the Ethereum token…

2 hours ago

Best Cryptos to Invest in Now: Don’t Miss Out on These Potential Game-Changers!

Crypto isn’t just for the tech-savvy anymore; it’s for everyone. As more people jump into…

3 hours ago

Trust Wallet CEO Backs Web3, Plus Wallet’s Top-Tier Encryption Ensures Secure Asset Access Amid Crypto Liquidation Hits $277M

Read how Plus Wallet’s top-tier ensures secure, unified digital asset management. Get the latest updates…

6 hours ago

Former Alameda CEO Will Now Serve 2-Year Sentence

Former Alameda CEO Caroline Ellison reported to a Connecticut federal prison on November 7 after…

7 hours ago

Degen Rollup Key Issue Forces Possible Chain Restart

Degen Rollup Key Issue: Conduit seized Degen’s L3 private key, causing 54 hours of downtime…

7 hours ago

This website uses cookies.